MATRIXBK 's Blog!

Live simply and life will be peaceful!

Managing and disabling Windows File Protection (WFP) warnings

Posted by matrixbk on 2008/04/24

How does it work?

WFP runs in the background and monitors your system for changes. When a change is applied to any file that is considered "protected," WFP will normally (and transparently) attempt to restore the file to the version it considers correct. One of two things then happens:

  1. The file is stored locally in %SYSTEMROOT%\system32\dllcache, and is simply copied back over the changed file.
  2. The file is not in the cache, so Windows prompts you for the installation media.

On Windows 2000 Professional, the dllcache is usually around 50MB. On Server, it's a whopping 300MB. What's protected? A lot, including the install's default executables, fonts, system configuration files, DLLs, ActiveX controls (OCX files), system drivers, and help files.
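The comparison WFP performs, reduced to an offline audit you can run yourself. This is an added example, not code from the original post: it hashes every file in a dllcache directory against the live copy in system32 and reports what has been replaced or removed. Real WFP verifies signatures against catalog files rather than hashing against the cache, so treat this as the simplified check you would reach for once WFP has been switched off and nothing is restoring files for you. The directory layout and the file contents in demo() are constructed sample data.

```python
# Added example (not from the original post): an offline audit that mimics what WFP does
# with its dllcache copy - compare each protected file under system32 with the copy
# kept in %SYSTEMROOT%\system32\dllcache and report anything that differs. Real WFP
# verifies signatures against catalogs; hashing against the cache is a simplification
# that is good enough to spot a replaced file once WFP has been switched off.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drivers do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_dllcache(system32: Path, dllcache: Path) -> dict:
    """Compare every cached file with its live counterpart.

    Returns a dict with three sorted lists:
      intact   - live file matches the cached copy
      modified - live file exists but its contents differ from the cache
      missing  - cached file has no live counterpart at all
    Windows paths are case-insensitive, so lookups are done on lower-cased names.
    """
    live_index = {p.name.lower(): p for p in system32.iterdir() if p.is_file()}
    report = {"intact": [], "modified": [], "missing": []}
    for cached in dllcache.iterdir():
        if not cached.is_file():
            continue
        live = live_index.get(cached.name.lower())
        if live is None:
            report["missing"].append(cached.name)
        elif sha256_of(live) != sha256_of(cached):
            report["modified"].append(cached.name)
        else:
            report["intact"].append(cached.name)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Run the audit on a constructed system32/dllcache pair (sample data, not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "system32"
        dllcache = system32 / "dllcache"
        dllcache.mkdir(parents=True)
        # Constructed sample contents; the names only mirror the layout WFP uses.
        (dllcache / "kernel32.dll").write_bytes(b"MZ-original-kernel32")
        (system32 / "KERNEL32.DLL").write_bytes(b"MZ-original-kernel32")  # untouched
        (dllcache / "user32.dll").write_bytes(b"MZ-original-user32")
        (system32 / "user32.dll").write_bytes(b"MZ-trojaned-user32")       # replaced
        (dllcache / "ntdll.dll").write_bytes(b"MZ-original-ntdll")          # deleted live
        return audit_dllcache(system32, dllcache)


if __name__ == "__main__":
    for state, names in demo().items():
        print(f"{state:8s} {', '.join(names) or '-'}")
```

On a real box you would call audit_dllcache(Path(r"C:\WINNT\system32"), Path(r"C:\WINNT\system32\dllcache")). A hit in "modified" is not automatically an attack: a hotfix that updated the live file but not the cache looks the same, so check the file's version and signature before drawing conclusions.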

Why would anyone want to disable it?

For the most part, WFP is a good thing. It prevents a lot of snafus, including some attacks that work by replacing system files (viruses and the like). However, there are three main reasons you might want it removed:

  1. WFP gets confused if you apply too many system patches at once, requiring frequent reboots. While this isn't a bad thing in itself, it is a pain for people who manage remote computers and want to roll out a batch of hotfixes in one go.
  2. Many folks would rather not have the OS spending cycles doing something like this.
  3. If disk space is really tight, some may want to get rid of it altogether.

The world made it this far without WFP, so it's not absolutely necessary. However, unless you routinely run into problems with it, it's best either left alone or tweaked to a cache size you're comfortable with.

How to manage or disable WFP

As always, you continue at your own risk. Make proper backups and have an emergency repair disk (rdisk) handy before ever tweaking the registry.

Both registry values in question live under this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
CurrentVersion\Winlogon

The two relevant values are SFCDisable and SfcQuota. The size of the dllcache can also be set from the command prompt.

To disable:

  1. Set (or create) SFCDisable as a REG_DWORD with the value ffffff9d (hex). It should currently be 0.
  2. Reboot.
  3. Windows will not clean up the cached files, so if you want to delete them you can, but leave the folder in place.
  4. Check the System event log (source "Windows File Protection") and confirm that Windows has truly disabled it. Don't skip this step: a value that is ignored leaves WFP silently running.

Other reports on the 'net indicate that a value of 1 will disable WFP, but that setting only lasts until the next reboot.

To manage the size of dllcache:

You have two options: 1) the registry, and 2) the easier command-prompt option.

In the registry, set SfcQuota to the hexadecimal value equivalent to the number of MB you'd like the dllcache to take up.

If you don't know hex, here are some samples:

00000099 = 153 (MB).
0000004b = 75 (MB).
00000032 = 50 (MB).
0000000a = 10 (MB).
FFFFFFFF = unlimited (the default).

When you're done, run sfc /scannow for good measure, and reboot.

Using the sfc command, it gets much easier. At the command prompt, type:

sfc /cachesize=X

where X is measured in MB. For instance, X=50 sets the cache to 50MB.

When done, run sfc /scannow for good measure, and reboot.

How to relocate the dllcache

As always, you continue at your own risk. Make proper backups and have an emergency repair disk (rdisk) handy before ever tweaking the registry.

You will need to create a registry value under this key. Use regedt32 for this operation (regedit on Windows 2000 cannot create REG_EXPAND_SZ values):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
CurrentVersion\Winlogon

Create a value named SFCDllCacheDir with data type REG_EXPAND_SZ. The string is the path where you want the folder to live; Windows appends the dllcache folder to that location. Some examples:

%systemroot%\system32 (the default)

\\PhatServer\sneakypoo$\admin (the admin folder in the hidden share sneakypoo$ on the server PhatServer)

Keep in mind that the cache is what WFP trusts as the known-good copy: whoever can write to that location decides what gets "restored" into system32. A network share is therefore only as trustworthy as its permissions and the server hosting it.
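The three Winlogon values from the disable, quota and relocation steps above, packaged as a .reg file so the change can be rolled out with regedit /s instead of being typed into regedt32 on every machine. This is an added example, not code from the original post. It also produces the hex the post asks for: SfcQuota is the MB figure as a 32-bit hex number, and SFCDllCacheDir has to be emitted as hex(2) (UTF-16LE bytes) because a .reg file cannot express REG_EXPAND_SZ as a plain quoted string. The key and value names are the post's; the output file names and the example path are assumptions.

```python
# Added example (not from the original post): build a .reg file that applies the
# Winlogon values discussed above. Value names follow the post; file names and the
# example cache path are assumptions.
from pathlib import Path
from typing import Optional

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SFCDISABLE_OFF = 0xFFFFFF9D      # value the post uses to switch WFP off
SFCDISABLE_ON = 0x0              # default: WFP enabled
SFCQUOTA_UNLIMITED = 0xFFFFFFFF  # default: no cap on the dllcache


def dword(value: int) -> str:
    """Render an unsigned 32-bit value in .reg syntax, e.g. 153 -> 'dword:00000099'."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value:#x} does not fit in a REG_DWORD")
    return f"dword:{value:08x}"


def expand_sz(text: str) -> str:
    """Render a REG_EXPAND_SZ as .reg 'hex(2)' data: UTF-16LE bytes plus a two-byte NUL."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def quota(megabytes: Optional[int]) -> str:
    """SfcQuota holds the dllcache cap in MB; None means unlimited (the default)."""
    if megabytes is None:
        return dword(SFCQUOTA_UNLIMITED)
    if megabytes <= 0:
        raise ValueError("quota must be a positive number of MB")
    return dword(megabytes)


def build_reg(disable_wfp: bool, quota_mb: Optional[int] = None,
              cache_dir: Optional[str] = None) -> str:
    """Assemble the .reg text. cache_dir=None leaves SFCDllCacheDir untouched."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{WINLOGON_KEY}]",
        f'"SFCDisable"={dword(SFCDISABLE_OFF if disable_wfp else SFCDISABLE_ON)}',
        f'"SfcQuota"={quota(quota_mb)}',
    ]
    if cache_dir is not None:
        lines.append(f'"SFCDllCacheDir"={expand_sz(cache_dir)}')
    lines.append("")
    return "\r\n".join(lines)  # regedit expects CRLF line endings


def write_reg(path: Path, content: str) -> None:
    """Write the file as UTF-16LE with a BOM, the encoding the version 5.00 header implies."""
    path.write_bytes(b"\xff\xfe" + content.encode("utf-16-le"))


if __name__ == "__main__":
    # One file that disables WFP with a 50 MB cache in the default location, and the
    # matching rollback that re-enables it with the unlimited default quota.
    off = build_reg(True, quota_mb=50, cache_dir=r"%systemroot%\system32")
    write_reg(Path("wfp-off.reg"), off)
    write_reg(Path("wfp-on.reg"), build_reg(False))
    print(off)
```

Apply with regedit /s wfp-off.reg, then reboot and do the event-log check exactly as in the manual procedure; the import itself proves nothing about whether WFP honoured the value. Emitting the path as hex(2) also sidesteps the backslash escaping a quoted .reg string would need, which is the usual source of a mangled SFCDllCacheDir.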
